Sometimes you may want to find out which domain controller your computer is authenticated with (your Logon Server). This can come in handy when there are problems with enforcing Group Policies or when users complain about slow logon. A user's computer may be authenticated to the wrong domain controller if the nearest DC is not available, a firewall is blocking access to it, Active Directory sites or subnets are incorrectly configured, or there are DNS problems. As a result, the user receives all GPO settings, scripts, etc. from some other DC instead of the nearest one, which can lead to slow GPO processing, slow software deployment and similar symptoms.
How to identify which DC a computer is authenticated to?
You can locate the domain controller you’re logged into by using a few methods:
If you logged on to the computer using a local account, the LogonServer variable will contain your computer name instead of the domain controller name.
Once you know the domain controller, you can retrieve user information from the security log of that logon DC (for example, the user's domain logon history and other events).
How does Windows find the nearest Domain Controller?
The Netlogon service is responsible for discovering the LogonServer while Windows is booting. The service should be running:
get-service netlogon
In simplified form, the process by which a Windows client finds a domain controller looks like this:
- On Windows boot, Netlogon sends a DNS query to get the list of domain controllers (SRV records _ldap._tcp.dc._msdcs.<domain>);
- DNS returns the list of DCs in the domain;
- The client sends an LDAP query to a DC to determine its AD site from its IP address;
- The DC returns the AD site matching the client's IP address, or the nearest site (this information is cached in the registry key HKLM\System\CurrentControlSet\Services\Netlogon\Parameters and used at the next logon for a faster lookup);
- The client requests the list of domain controllers in the target site via DNS (_ldap._tcp.<sitename>._sites.dc._msdcs.<domain>);
- The client sends requests to all DCs in the site, and the one that responds first is used as the logon server to perform authentication.
You can manually reset the computer's secure channel to a specific domain controller with nltest:
nltest /SC_RESET:WOSHUB\MUN-DC02.woshub.com
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\MUN-DC02.woshub.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
If the specified DC is not available, an error will appear:
I_NetLogonControl failed: Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
If none of the domain controllers are available or the computer is disconnected from the network, the following message appears when the user logs on:
There are currently no logon servers available to service the logon request.
You can only log on to such a computer by using the domain user’s cached credentials.
You can locate the nearest domain controller by site hierarchy, subnet and site link cost using the Get-ADDomainController cmdlet from the Active Directory module for Windows PowerShell:
Get-ADDomainController -Discover -NextClosestSite
This returns the name of the domain controller through which the computer should be authenticating. If it differs from the current LogonServer, you will need to troubleshoot the cause (site and subnet configuration, DNS, or firewall access to the nearest DC).
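The comparison described above, as an added example (not code from the article): a hypothetical Get-LogonServerStatus function that checks the Netlogon service, reads the LogonServer variable, asks the DC locator which DC this client's site should use, and verifies the site-specific SRV record exists. It assumes a domain-joined Windows host with the Active Directory module (RSAT) and the DnsClient module available.

```powershell
# Added example, not part of the original article.
# Assumes: domain-joined host, ActiveDirectory module (RSAT), DnsClient module.
function Get-LogonServerStatus {
    [CmdletBinding()]
    param()

    # Netlogon performs LogonServer discovery; if it is not running, nothing below is meaningful.
    $netlogon = Get-Service -Name Netlogon -ErrorAction Stop
    if ($netlogon.Status -ne 'Running') {
        Write-Warning "Netlogon service is $($netlogon.Status); DC discovery cannot work."
    }

    # The DC this session authenticated with, e.g. "\\MUN-DC02" -> "MUN-DC02".
    # For a local account the variable holds the computer name, not a DC.
    $logonServer = $env:LOGONSERVER -replace '^\\\\', ''
    if ($logonServer -eq $env:COMPUTERNAME) {
        Write-Warning 'Logged on with a local account; LogonServer is the computer itself.'
    }

    # The DC the locator should pick for this client's site (or the next closest site).
    $closest = Get-ADDomainController -Discover -NextClosestSite -ErrorAction Stop

    # The site-specific SRV record Netlogon queries in the last discovery step.
    $srvName = "_ldap._tcp.$($closest.Site)._sites.dc._msdcs.$($closest.Domain)"
    $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue

    [pscustomobject]@{
        LogonServer    = $logonServer
        ExpectedDC     = [string]$closest.HostName   # HostName is a one-item collection
        ClientSite     = $closest.Site
        SiteSrvRecords = @($srv | Where-Object Type -eq 'SRV').Count
        Mismatch       = ($logonServer -ne $closest.Name)   # case-insensitive compare
    }
}

Get-LogonServerStatus
```

A Mismatch of True with SiteSrvRecords of 0 points at DNS or site configuration; a mismatch with SRV records present points more towards the nearest DC being unreachable (firewall or the DC itself).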